Collaborate Disseminate
I’m testing this application which is properly validating origin header on the sever side. However, if I add any domain and the expect domain as port, application still consider this valid.
Origin: https://random-domain.com:expected-domain… Continue reading Can the Origin header have alphabetical port or parameters in a real-life scenario?
This application sends data to the server in JSON and checks for the content-type header, but I was able to bypass this, but it sends another custom header which is not a secret token or something which may have acted like an actual CSRF t… Continue reading Are application using custom header instead of CSRF token safe?
So I’m by no means a security expert. I’m just a recently graduated software developer who is working on a contract project and I want to ensure I’m taking appropriate security measures for my client.
Essentially, my program functions as a… Continue reading Internal HTTPS recommended security practices
This application is not using any CSRF token and not even cookies to identify users on their server. All they do is use a authorization header to identify users. Since an attacker doesn’t know value of this header he can’t send cross site … Continue reading This application is not using CSRF token but they are still able to protect sensitive actions on the site
I found that this application has not properly configured CORS, an attacker can send requests from any origin and allow credentials header is also true.
The idea was to extract CSRF token and then change email/phone to takeover the accoun… Continue reading Stuck in a tricky situation, not able to exploit misconfigured CORS
.htaccess is now a very common URL rewrite to make it SEO friendly and cover the database IDs.
What are the ways to explore php file on the server given to URL via .htaccess?
Example :
The URL is www.domain.com/news/56.
I expect to fin… Continue reading How to find PHP filename and ID of the URL?
American here. I’m not a hacker or anything, just a normal computer science student. Anyways, I believe that my university has left an exploit open through their hub where anyone can use the modular apps to gain access to your:
Last 4 dig… Continue reading Is It Illegal To Test For Exploits?
When securing my device (ubuntu) I noticed strange ufw logs. I am behind a router which should be blocking these kinds of requests? I realise these are using port 443 but I was under the impression that my outgoing connections to a website… Continue reading Strange ufw logs
So my phone was stolen but it has a PW. Could the thief reset it somehow & access to the gallery or my SD cards? Personal pics of me that i don’t want leaked. Plus how do i even know they’ve been leaked? Thanks
It’s a Samsung
… Continue reading Could the thief who stole my phone access my pics?
So I came across a shady NSFW site (camvideos dot tv). It might be spying on my cam or have a virus. Could anyone please confirm? Thanks.
Continue reading Would this website be potentially risky? [closed]